I am using asp.net 3.5 web.config to limit access and it works great.
<authentication mode="Windows" />
<authorization>
  <allow users="Bill, John"/>
  <deny users="*"/>
</authorization>
Unauthorized (but authenticated) users will be blocked by a system error message saying that:
Server Error in '/' Application
Access is denied.
Description: An error occurred while .......
Error message 401.2: Unauthorized: Logon failed due to server configuration ...
In order to make the message more friendly, I uncomment the customErrors flag and create a GenericErrorPage.htm in the root path of my project.
<customErrors mode="On" defaultRedirect="GenericErrorPage.htm">
  <error statusCode="403" redirect="NoAccess.htm" />
  <error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
However, it just doesn't work. I still get the system error message rather than my custom error page.
Any suggestions will be appreciated.
You won't see it - custom error pages are served by the ASP.NET application, but Windows auth is served up by IIS itself.
Now you can set IIS to use different error pages. For IIS7 this needs a separate configuration section:
<system.webServer>
  <httpErrors errorMode="Custom" existingResponse="Auto">
    <error statusCode="403"
           subStatusCode="-1"
           prefixLanguageFilePath=""
           path="C:\inetpub\wwwroot\errors\403.htm"
           responseMode="File" />
  </httpErrors>
</system.webServer>
And you'll need to ensure the app pool user has access to that path.
I haven't tested this in other scenarios, but I'm looking at some of the suggestions from this detailed article for a similar problem.
The other problem turned out to be:
the access to the error page was blocked by the authorization requirements.
The solution was to use a <location> attribute in the web.config. Refer to the link for a more detailed explanation, but here's a snippet:
<!-- in the same root web config file -->
<configuration>
  <system.web>
    <authorization>
      <allow users="Bill, John"/>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- the page-specific authorization -->
  <location path="GenericErrorPage.htm"> <!-- other ones for your other pages -->
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
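As an added example (not code from any of the posts here): a small Python check for the problem this answer describes, listing the customErrors redirect targets that an authenticated but unlisted user would be denied. It assumes the error pages pass through ASP.NET URL authorization, matches <location> paths exactly, and ignores roles; the function names, the user name and the sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _child(el, tag):
    """First direct child with this tag, or None."""
    return next((c for c in el if c.tag == tag), None) if el is not None else None

def _rules(system_web):
    """[(action, {users})] from <authorization>, in document order."""
    auth = _child(system_web, "authorization")
    return [(r.tag, {u.strip().lower() for u in r.get("users", "").split(",")})
            for r in (auth if auth is not None else ()) if r.tag in ("allow", "deny")]

def _decision(rules, user):
    """First matching rule wins; '?' (anonymous) never matches a named user."""
    for action, users in rules:
        if "*" in users or user.lower() in users:
            return action
    return "allow"  # assumption: inherited machine-level <allow users="*"/>

def blocked_error_pages(config_xml, user="someone-else"):
    """customErrors targets the authenticated `user` (hypothetical name) would be denied."""
    root = ET.fromstring(config_xml)
    site_web = _child(root, "system.web")
    # <location> rules are evaluated before the site-wide ones.
    local = {loc.get("path", "").lower(): _rules(_child(loc, "system.web"))
             for loc in root.findall("location")}
    custom = _child(site_web, "customErrors")
    if custom is None:
        return []
    targets = [custom.get("defaultRedirect")] + [e.get("redirect") for e in custom.findall("error")]
    blocked = []
    for target in filter(None, targets):
        path = target.lstrip("~/").split("?")[0]
        rules = local.get(path.lower(), []) + _rules(site_web)
        if _decision(rules, user) == "deny":
            blocked.append(path)
    return blocked

# Constructed sample: the question's rules plus the answer's <location> override.
SAMPLE = """<configuration><system.web>
  <authorization><allow users="Bill, John"/><deny users="*"/></authorization>
  <customErrors mode="On" defaultRedirect="GenericErrorPage.htm">
    <error statusCode="403" redirect="NoAccess.htm"/>
    <error statusCode="404" redirect="FileNotFound.htm"/>
  </customErrors>
</system.web>
<location path="GenericErrorPage.htm"><system.web>
  <authorization><allow users="*"/></authorization>
</system.web></location></configuration>"""
```

Calling blocked_error_pages(SAMPLE) reports NoAccess.htm and FileNotFound.htm, the two redirect targets that have no <location> override of their own.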
Change:
<customErrors mode="RemoteOnly" />
The mode attribute can be one of the following:
* On – error details are not shown to anybody, even local users. If you specified a custom error page it will be always used.
* Off – everyone will see error details, both local and remote users. If you specified a custom error page it will NOT be used.
* RemoteOnly – local users will see detailed error pages with a stack trace and compilation details, while remote users will be presented with a concise page notifying them that an error occurred. If a custom error page is available, it will be shown to the remote users only.
Displaying a concise yet not-so-pretty error page to visitors is still not good enough, so you need to put together a custom error page and specify it this way:
<customErrors
  mode="RemoteOnly"
  defaultRedirect="~/errors/GeneralError.aspx"
/>